PLUGGABLE AUTHENTICATION MODULES AND ITS IMPLEMENTATION USING JAAS
CHAPTER 1
INTRODUCTION
1.1 OVERVIEW

With the increasing use of distributed systems, users often need to access multiple resources to finish a single business transaction. Traditionally, users have had to sign on to all these systems, each of which may involve different usernames and authentication requirements. With the introduction of the single sign-on technique, users can log in once and be authenticated for all systems involved in a given business transaction.
PAM and PAM-aware applications reduce the complexity of authentication. With PAM, the system administrator can choose to use the same user database for every login process on the system. PAM has a well-defined API, so PAM-dependent applications will not crash even when the system administrator changes the underlying PAM settings. Application programmers can take advantage of PAM if their application requires some kind of authentication: much less programming is involved, and there is no need to write a complete set of authentication functions. The system administrator can choose an appropriate back end to store user names and passwords.
As current authentication mechanisms evolve and as new authentication mechanisms are introduced, system entry services such as login, rlogin, and telnet must continually be customized to incorporate these changes. With the Pluggable Authentication Module (PAM) framework, multiple authentication technologies can be added without changing any of the login services, thereby preserving existing system environments. PAM can be used to integrate login services with different authentication technologies, such as RSA, DCE, Kerberos, S/Key, and smart card based authentication systems. Thus, PAM enables networked machines to exist peacefully in a heterogeneous environment, where multiple security mechanisms are in place. The PAM framework and the module interfaces provide pluggability for user authentication, as well as for account, session, and password management. login and other system-entry services can use the PAM architecture, and thus ensure that all entry points for the system have been secured.
1.2 PLUGGABLE AUTHENTICATION MODULE (PAM) FRAMEWORK
The JAAS authentication framework is based on Pluggable Authentication Module (PAM). JAAS authentication is performed in a pluggable fashion that allows an application to add more authentication modules. Java applications can remain independent from underlying authentication technologies, and thus both legacy and new authentication technologies can be seamlessly configured without requiring modifications to the application itself.
The JAAS authentication framework allows applications to define any number of login modules in the configuration file. The JAAS framework invokes these login modules in the order they were specified. Applications can also specify a flag to each login module to indicate the relative importance of that module. The overall authentication depends on the combined results of these individual authentication modules.
PAM allows different Web applications to authenticate users against their own data store, be it an LDAP server, relational database, NT domain, or even a file. PAM is the feature that enables developers to implement single sign-on among Web applications deployed on the same application server.
JAAS is a standard Java framework for performing a number of security related tasks, including login, custom authentication, and (through Java 2 extensions) authorization. WebSphere Application Server supports the use of JAAS for login and customized authentication (with the restrictions stated in this article). JAAS exposes an application-level programming interface (API) for use by applications, and a service programming interface (SPI) for the providers of its functionality. This model accomplishes the goal of insulating applications from service providers, thereby enabling portability across system platforms. Furthermore, JAAS follows the Pluggable Authentication Module (PAM) authentication model and so the service provider is completely pluggable through administrative configuration procedures.
Authentication sometimes involves more than one authentication system. To support this, JAAS is not only pluggable, but it is also stackable. This means a sequence of one or more mechanisms can be configured to drive the authentication process. The figure below is a high-level representation of the JAAS model.
JAAS uses the concept of a subject to define a user. A subject is created at initial authentication time, and is really just a container for user information; it includes principal and credential data. Authentication is performed by login modules that are grouped into login configurations, providing the stackable authentication mechanism described above. Login modules have the ability to populate data into the subject. In WebSphere Application Server, this will include WSPrincipal and WSCredential objects. WSPrincipal is basically a Java principal, which is used to define an entity in Java such as a user, organization, or login ID. The WSCredential defines security information that will be used for authorization, such as group memberships.
JAAS control flow
As discussed above, the JAAS login process provides access to a series of login modules orchestrated into a login configuration. The JAAS invocation model consists of the caller (for example, a WebSphere Application Server container runtime) alternately calling JAAS components until all configured modules are invoked or a failure is encountered. Figure 3 shows this seesaw-like pattern of alternating control flow between the invoker and the JAAS modules.
The effect of each JAAS login module is driven by a configuration attribute with one of the following values:
1. Required: The LoginModule is required to succeed. Irrespective of whether it succeeds or fails, authentication still continues down the LoginModule list.
2. Requisite: The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).
3. Sufficient: The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.
4. Optional: The LoginModule is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the LoginModule list.
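The four flags above can be observed with the real JAAS classes. The program below is an added example, not part of the original report: `StackDemo`, the `Stub` module and its `name`/`ok` options are constructed for the demonstration, and it assumes Java 9 or later (for `Map.of`). It builds four stacks in memory and prints which modules' `login()` ran and the overall result.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;
import static javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag.*;

public class StackDemo {
    static final List<String> invoked = new ArrayList<>(); // modules whose login() ran, in order

    /** Constructed stub: the "ok" option decides whether login() succeeds. */
    public static class Stub implements LoginModule {
        private Map<String, ?> opts;
        private boolean succeeded;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            opts = options;
        }
        public boolean login() throws LoginException {
            invoked.add((String) opts.get("name"));
            if (!"true".equals(opts.get("ok"))) throw new FailedLoginException(opts.get("name") + " rejected");
            return succeeded = true;
        }
        public boolean commit() { return succeeded; } // false tells JAAS to ignore this module
        public boolean abort()  { succeeded = false; return true; }
        public boolean logout() { return true; }
    }

    static AppConfigurationEntry entry(String name, LoginModuleControlFlag flag, boolean ok) {
        return new AppConfigurationEntry(Stub.class.getName(), flag, Map.of("name", name, "ok", String.valueOf(ok)));
    }

    // Runs one stack through a real LoginContext, using an in-memory Configuration.
    static String run(AppConfigurationEntry... stack) {
        invoked.clear();
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String app) { return stack; }
        };
        try {
            new LoginContext("demo", new Subject(), null, cfg).login();
            return invoked + " -> authenticated";
        } catch (LoginException e) {
            return invoked + " -> rejected";
        }
    }

    public static void main(String[] args) {
        System.out.println("required fails, optional ok:    " + run(entry("A", REQUIRED, false), entry("B", OPTIONAL, true)));
        System.out.println("requisite fails, required ok:   " + run(entry("A", REQUISITE, false), entry("B", REQUIRED, true)));
        System.out.println("sufficient ok, required fails:  " + run(entry("A", SUFFICIENT, true), entry("B", REQUIRED, false)));
        System.out.println("required fails, sufficient ok:  " + run(entry("A", REQUIRED, false), entry("B", SUFFICIENT, true)));
    }
}
```

The third stack is the one to review in any real login configuration: a Sufficient module that succeeds returns control to the application before a Required module listed after it is consulted, so the order of entries is part of the security policy.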
CHAPTER 2
LITERATURE SURVEY

The Java™ Authentication and Authorization Service (JAAS) was introduced as an optional package (extension) to the Java™ 2 SDK, Standard Edition (J2SDK), v 1.3. JAAS was integrated into the J2SDK 1.4.
JAAS represents the new Java security standard, as it has formally been added to the JDK 1.4 code base. From an architectural standpoint, JAAS implements a Java version of the Pluggable Authentication Module (PAM) framework. First released in May 2000 by The PAM Forum, the framework is a modularized architecture designed to support the seamless exchange of one security protocol component for another. The framework allows multiple authentication technologies and/or authentication approaches to be added without changing or interfering with any of the existing login services. PAM can be used to integrate login services with various authentication technologies, such as RSA, DCE, Kerberos, S/Key, and even to support smart card-based authentication systems.
Java Authentication and Authorization Service, or JAAS, pronounced "Jazz", is a Java security framework for user-centric security to augment the Java code-based security. Since Java Runtime Environment 1.4 JAAS has been integrated with the JRE - previously JAAS was supplied as an extension library by Sun.
JAAS's main goal is to separate the concerns of user authentication so that they may be managed independently.
CHAPTER 3
PROBLEM STATEMENT

Can a system provide efficient security while preserving the independence of various applications?
Although the single sign-on concept is appealing, implementing it is not at all easy because enterprise systems often have varying security requirements and a wide range of underlying technologies on which they are deployed. In Java environments, Java Authentication and Authorization Service (JAAS) has made implementation easier. JAAS, a significant enhancement to the Java security architecture, is an ideal tool for access control in a multi-user environment where users must be granted varying privileges. Unlike the standard JDK security model, which is code-source-based permission checking, JAAS controls access to resources with both code-source-based and user/role-based permission checking. Most importantly, the "pluggable" and stackable login module architecture that JAAS defines makes it instrumental in supporting legacy security implementations on different technologies and serves as a useful mechanism for implementing single sign-on.
3.1 NEED FOR PAM
PAM and PAM-aware applications reduce the complexity of authentication. With PAM, the system administrator can choose to use the same user database for every login process on the system. PAM has a well-defined API, so PAM-dependent applications will not crash even when the system administrator changes the underlying PAM settings. Application programmers can take advantage of PAM if their application requires some kind of authentication: much less programming is involved, and there is no need to write a complete set of authentication functions. The system administrator can choose an appropriate back end to store user names and passwords.
CHAPTER 4
ARCHITECTURE

In an end-to-end application security model, JAAS provides authentication and authorization mechanisms to Java applications and also enables them to remain independent from JAAS provider implementations. The framework's features can be categorized into two concepts:
Authentication: JAAS provides reliable and secure API mechanisms to verify and determine the identity of who is executing the code.
Authorization: Based on an authenticated identity, JAAS applies access control rights and privileges to execute the required functions. JAAS extends the Java platform access control based on code signers and codebases with fine-grained access control mechanisms based on identities.
Like other security packages, JAAS also features a provider architecture and service-provider interface that allows different JAAS-based authentication and authorization provider modules to be plugged into a J2SE environment.